National Science Foundation • 4201 Wilson Boulevard • Arlington, Virginia 22230
Office of Inspector General


MEMORANDUM

DATE:       January 12, 2013

TO:         Dr. Subra Suresh, Director, National Science Foundation

FROM:       Allison C. Lerner /s/
            Inspector General

SUBJECT:    Federal Information Security Management Act FY 2012 Independent Evaluation
            Report – OIG Report Number 13-2-003


Attached is the Federal Information Security Management Act of 2002 (FISMA) FY 2012
Independent Evaluation Report. In accordance with Office of Management and Budget (OMB)
Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, we previously provided the Inspector
General Section of NSF's FY 2012 FISMA Report, which was submitted through the OMB
automated reporting tool on November 15, 2012.

CliftonLarsonAllen's Independent Evaluation Report includes four new findings, as follows:

   •  NSF needs to improve its patch management process for the timely resolution and
      mitigation of logical security vulnerabilities.
   •  NSF needs to correct the United States Antarctic Program's (USAP) Certification and
      Accreditation documentation process to include required elements.
   •  USAP needs to review its System Security Plan for consistency with NIST requirements.
   •  USAP needs to enforce NSF's password and account management policies at USAP.

The report also includes four previous findings, as follows:

   •  The USAP "Advanced Revelation" suite of applications needs to be replaced.
   •  USAP needs to develop, document, and implement a disaster recovery plan for its
      Antarctica Operations at its Denver data center.
   •  NSF needs to remove the information technology accounts of separated employees
      and contractors in a timely manner.
   •  NSF needs to improve the security of its network topology, as the present design poses
      a potential security weakness.

The Independent Evaluation was performed in conjunction with the annual financial statement
audit. A draft of the Independent Evaluation Report was previously submitted to your staff, and
their comments are included as an attachment to the report.

In accordance with OMB Circular A-50, Audit Follow-Up, we request that NSF submit a
written corrective action plan to our office within 60 days of the date of this memorandum to
address the recommendations in the Independent Evaluation. This corrective action plan should
identify the specific actions your office has taken or plans to take to address each recommendation,
along with the associated milestone date. We are available to work with your staff to ensure the
submission of a mutually agreeable corrective action plan.

We appreciate the courtesies and cooperation extended to CliftonLarsonAllen LLP during the
evaluation.

If you or your staff have any questions, please contact Brett M. Baker, Assistant Inspector General
for Audit, or me at (703) 292-7100.


Attachment

cc:   Cora B. Marrett, Deputy Director, Acting, OD
      G.P. Peterson, Chair, Audit and Oversight Committee
      Kathryn Sullivan, Senior Advisor, OD
      Eugene Hubbard, Director, OIRM
      Amy Northcutt, Chief Information Officer
      Kelly K. Falkner, Acting Director, OD/OPP
      Martha Rubenstein, Director and CFO, BFA
      Susanne LaFratta, Senior Advisor, OD/OPP